需求
初步想法是用Nginx將所有服務(wù)的請(qǐng)求輸出到日志上祈,再由收集器將日志 收集起來->解析->存儲(chǔ)培遵。收集所有服務(wù)的請(qǐng)求日志炕泳,存儲(chǔ)以供后續(xù)使用。
使用ES家族的 filebeat 收集NG日志,可是收集到的日志不太好解析登刺,而且還增加個(gè)時(shí)間字段籽腕,轉(zhuǎn)換某些字段等操作,后來想法是再寫個(gè)服務(wù)(或Logstash)吧 Filebeat調(diào)這個(gè)服務(wù)纸俭,由這個(gè)服務(wù)做處理解析节仿。但是又感覺太重了,偶然發(fā)現(xiàn) ES 原生 已經(jīng)支持?jǐn)?shù)據(jù)處理(filter)了掉蔬。
于是花了半天研究了下,下面把坑矾瘾、和使用方法都記一下女轿。
具體參考了優(yōu)秀的這篇文章:
關(guān)于 Ingest Node/Pipeline 的詳解。贊壕翩!
https://www.felayman.com/articles/2017/11/24/1511527532643.html
還有官方文檔:
https://www.elastic.co/guide/en/elasticsearch/reference/current/handling-failure-in-pipelines.html
先看下效果吧:
【源】NG log
61.50.98.62 - [08/Jan/2019:13:11:09 +0800] "GET /images/index/img05_11.jpg HTTP/1.1" 200 312473 "http://vipcode.cn/" - 0.210 0.052 100.118.58.9:80 200 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3494.0 Safari/537.36
要做的事情:
- 增加 gmt_create 記錄數(shù)據(jù)時(shí)間蛉迹。
- 將以空格分隔的NG日志 解析為 圖中的K->V
解決過程:
- create index ... 略過。
- 創(chuàng)建pipeline(processor)增加gmt_create
- 創(chuàng)建pipeline(processor)解析 ng log
2放妈、3步最終是要合一起的北救,一個(gè)processor即增加了時(shí)間也解析了格式;可我初次試驗(yàn)的時(shí)候是分開調(diào)試的芜抒。
其中用到了 set 和 grok (在上面的連接中有介紹)
_ingest/pipeline/nglogproc
這里坑有兩個(gè)珍策,
- {{_ingest.timestamp}} 存到ES里的時(shí)間是UTC0的時(shí)間,晚于國(guó)內(nèi)8小時(shí)宅倒。
- grok 的調(diào)試比較煩人攘宙,雖說寫比較容易,比對(duì)數(shù)據(jù)是最耗時(shí)的拐迁。
最后患雏,post ES 處理保存數(shù)據(jù):解決方案:
- 因?yàn)?_ingest.timestamp 是ES生成的蹭劈,沒有找到通過哪個(gè)配置能修改,想了一晚上最后想編譯源碼解決去了线召。還好铺韧,不用管,Kibana會(huì)正常顯示缓淹、檢索哈打。
- Grok語法和內(nèi)置的表達(dá)式網(wǎng)上有很多塔逃,熟悉一下然后 根據(jù)這個(gè)調(diào)試器
http://grokdebug.herokuapp.com,一點(diǎn)點(diǎn)來吧前酿。
沒有出錯(cuò)就是文章開始的效果圖了,_ingest.timestamp 不會(huì)出錯(cuò)罢维,會(huì)出問題的多半出在grok和源數(shù)據(jù)不匹配的問題里淹仑,錯(cuò)誤里會(huì)有部分提示。
One more thing, 貼出我的 grok
Log1:
112.17.88.223 - [08/Jan/2019:10:49:08 +0800] "GET /open_008/08_img6.png HTTP/1.1" 200 1445 "https://www.vipcd.com/_zh/open_008.min.css" - 0.005 0.004 59.110.185.113:80 200 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Log2:
39.104.152.143 - [08/Jan/2019:17:34:18 +0800] "GET / HTTP/1.1" 200 9262 "-" - 0.032 0.031 172.17.231.247:8080 200 Go-http-client/1.1
Log3:
39.82.11.241 - [22/Jan/2019:16:53:04 +0800] "GET /v1?uuid=vipcode2165376223244&uid=154814718762578s5dfaco&project=act&logType=pv&logVersion=1.0&refer=&ua=Mozilla%2F5.0%20(iPad%3B%20U%3B%20CPU%20OS%205_0%20like%20Mac%20OS%20X%3B%20en-us)%20AppleWebKit%2F534.46%20(KHTML%2C%20like%20Gecko)%20Version%2F5.1%20Mobile%2F9A334%20Safari%2F7534.48.3&subType=guangdiantong%7C%7ChasCode&screensize=w800||h1280&url=http%3A%2F%2Fact.vipcode.com%2Fmps%2Fproduce%2F1545381467902%2Fpc%2Findex.html%3FstClId%3D7%26sLClId%3D0%26plId%3D0%26unId%3D0%26kwd%3D%26lGPId%3D150%26acId%3D0%26pSId%3D28%26acPFlag%3D0%26sFFlag%3D0%26remark%3D113Lllq122105%26qz_gdt%3Df7mumxf7aaaoaehyrkya HTTP/1.1" 200 1 "http://act.vipcode.com/mps/produce/1545381467902/pc/index.html?stClId=7&sLClId=0&plId=0&unId=0&kwd=&lGPId=150&acId=0&pSId=28&acPFlag=0&sFFlag=0&remark=113Lllq122105&qz_gdt=f7mumxf7aaaoaehyrkya" - 0.000 - - - Mozilla/5.0 (iPad; U; CPU OS 5_0 like Mac OS X; en-us) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
Grok:
%{IP:client} %{USER:user} \[%{HTTPDATE:http_date}\] \"%{WORD:method} %{NOTSPACE:http_uri} HTTP/%{NUMBER:http_ver}\" %{NUMBER:http_st_ng} %{NUMBER:bytes} \"(?<referer>https?://[^ ]+|-)\" (?<x_forwarded_for>[0-9]+(\.[0-9]+){3}(?:, [0-9]+(\.[0-9]+){3})*|-) %{NUMBER:rsp_time1} (?:%{NUMBER:rsp_time2}|-) (?<target_server>[0-9]+(\.[0-9]+){3}(:[0-9]+)?|-) (?:%{NUMBER:http_st_server}|-) (?<u_agent>.*$)
nglogproc Pipleline:
{
"description": "nginx log processor",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"%{IP:client} %{USER:user} \\[%{HTTPDATE:http_date}\\] \"%{WORD:method} %{NOTSPACE:http_uri} HTTP/%{NUMBER:http_ver}\" %{NUMBER:http_st_ng} %{NUMBER:bytes} \"(?<referer>[^\"]+|-)\" (?<x_forwarded_for>[0-9]+(\\.[0-9]+){3}(?:, [0-9]+(\\.[0-9]+){3})*|-) %{NUMBER:rsp_tn} (?<rsp_ts>[0-9.]+(, [0-9.]+)*|-) (?<tar_server>[0-9]+(\\.[0-9]+){3}(:[0-9]+)?(, ([0-9]+(\\.[0-9]+){3}(:[0-9]+)?))*|-) (?<http_st_server>[0-9]+(, [0-9]+)*|-) (?<u_agent>.*$)"
],
"on_failure": [
{
"set": {
"field": "g_err0",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"set": {
"field": "gmt_create",
"value": "{{_ingest.timestamp}}"
}
},
{
"grok": {
"field": "http_uri",
"patterns": [
"/v\\d+\\?uuid=(?<uuid>[^&]*+)&uid=(?<uid>[^&]*+)&project=(?<project>[^&]*+)&logType=(?<logType>[^&]*+)&logVersion=(?<logVersion>[^&]*+)&refer=(?<refer>[^&]*+)&ua=(?<ua>[^&]*+)&subType=(?<subType>[^&]*+)&screensize=(?<screensize>[^&]*+)&url=(?<url>.*+$)"
],
"on_failure": [
{
"set": {
"field": "g_err1",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "ua",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "url",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "screensize",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
},
{
"urldecode": {
"field": "subType",
"on_failure": [
{
"set": {
"field": "g_err2",
"value": "{{_ingest.on_failure_message }}"
}
}
]
}
}
]
}
這種方式的好處是非常簡(jiǎn)便肺孵,缺點(diǎn)是容錯(cuò)率非常低對(duì)格式有著嚴(yán)格的要求匀借。
不過慶幸的是其提供了“當(dāng)錯(cuò)誤發(fā)生時(shí)你要做的事情 —— on_failure ”
Filebeat 使用 Pipeline
http://www.axiaoxin.com/article/236/
在FB配置文件中增加配置即可。
